MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b25c916108e990357c009d88c075fda55419b5a13da0a3b2dc5643b607bb6b0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b25c916108e990357c009d88c075fda55419b5a13da0a3b2dc5643b607bb6b0e
SHA3-384 hash: e8f0d606fe6177d2c3d7dbd14769a4c21c712ee9bd1c7f29319219f3640e6c76ab4609148a55dfbd23f1d82b2e3e2b3b
SHA1 hash: fb7f6c7a3ec5a59345e4aa55baca5dcb1e9afa12
MD5 hash: b54fddcb8d09a680c5eb404889126af3
humanhash: harry-mars-stream-oranges
File name:Bandicam crack.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'017'664 bytes
First seen:2023-01-23 10:00:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2612fb848cf4ac8d179f70754ebbda6b (3 x RedLineStealer, 2 x RaccoonStealer, 1 x ArkeiStealer)
ssdeep 98304:tKvNd9ERHFzGO0a38SDqr7LkBqxyGVKl7kiiX0M:tKr9ERHFb0a3nK7oBEDXr
Threatray 1'539 similar samples on MalwareBazaar
TLSH T1B0062373126314C9E4F5C53DC63BFDF471F64A268A42983D69DABAC62A358F0E203653
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Bandicam crack.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 10:02:53 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/d7973bbd-62da-4942-84e4-33ec74db5d21

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355835/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62427/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/63ce5ae02b351a3d0ea7ddf5/reports/bf3f4b0a-9caf-4de8-a1a5-9a96ac85e687/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19b913ce-8ddb-4d0e-aa55-1e00f55fad66
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b25c916108e990357c009d88c075fda55419b5a13da0a3b2dc5643b607bb6b0e/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2023-01-23 10:01:10 UTC
File Type:
PE (Exe)
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjojcyii5gidk7aatwema5p5uvkbtnnbhwqkhmw4kzb3mb53nmha._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
12567de24a8dbc6c0103aa263217ad240098d7545e32546f35fd5b791b1869fa
ArkeiStealer
2e205ecc398903361efb69b5790716a47b76301e7b8ad3be506fbde96ee6ffe7
ArkeiStealer
4b1338eceb20e531dca686256b82a8aa56e75aeb4b53f54d08900dd75fc0b19f
ArkeiStealer
4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5
ArkeiStealer
68d471be0c90161c04cd1645b4cb63cef52a7ad79ecf4de62331befb19645f58
ArkeiStealer
6e3f1055521e01bd967f22fd68b48410342264b62cf7b7998a6686a2141d4d67
ArkeiStealer
8116aab7428774d74e15738db29842052c5f1a7c6bb4259026f75872c500b022
ArkeiStealer
88dbf134cd4628fc8b97cc1adf5201cae875df1fa5280b3cbc0306478161e9f4
ArkeiStealer
c035175a412100bdd59753f1bb7fb311513affdd095beeb7c8d10e68788d03f2
ArkeiStealer
+ 1'529 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:408 spyware stealer
Link:
https://tria.ge/reports/230123-l2bg7scg76/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/jetbim2
https://steamcommunity.com/profiles/76561199471266194
Unpacked files
SH256 hash:
a8deb4187abda5747fe39afdf5e2df0d6ba76ad4d091e28cf58585475517b6c2
MD5 hash:
2116d8ff7b1e9a718d6ed2cd85592baa
SHA1 hash:
657f018b69d235cd639bc1b66afb2d23f21634a6
Link:
https://www.unpac.me/results/8911ea5a-be69-4189-b4ae-3afee1b17d8f/
SH256 hash:
c209f6ca367c378465a0e8ff37d41b76f6917171a4eeb4324b71b6bb84c2b868
MD5 hash:
b5103ab1033dd673ac658e0ba086b628
SHA1 hash:
13a490c4eece784a97e5f050156d803b0a807f46
Link:
https://www.unpac.me/results/8911ea5a-be69-4189-b4ae-3afee1b17d8f/
SH256 hash:
b25c916108e990357c009d88c075fda55419b5a13da0a3b2dc5643b607bb6b0e
MD5 hash:
b54fddcb8d09a680c5eb404889126af3
SHA1 hash:
fb7f6c7a3ec5a59345e4aa55baca5dcb1e9afa12
Link:
https://www.unpac.me/results/8911ea5a-be69-4189-b4ae-3afee1b17d8f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b25c916108e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b25c916108e990357c009d88c075fda55419b5a13da0a3b2dc5643b607bb6b0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:Telegram_Links
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355835/

Comments